About Deloitte Insights

Deloitte’s Insights for C-suite executives and board members provide information and resources to help address the challenges of managing risk for both value creation and protection, as well as increasing compliance requirements.

Search Deloitte Insights

Related Deloitte Insights

Greg Scott, U.S. Health Plans leader and vice chairman of Deloitte LLP, shares his perspective on disruptive trends impacting health plans as they respond to the rise of consumerism. In 2015, watch for innovation in new products, better technologies, collaborative business models and improved consumer experiences. He also discusses growth opportunities and how rapidly deployable technology and sophisticated analytics will likely be key for health plans to bring their strategies to life.

Homi Kapadia, U.S. Life Sciences leader and vice chairman of Deloitte LLP, anticipates what is coming in 2015 for the industry, including market consolidation, new models of innovation, growth in specialty therapeutic areas, R&D efficiency and the data revolution. He also discusses what businesses should be mindful of as they plan for growth and how big data will likely become an integral part of life sciences organizations encompassing the entire value chain.

With huge amounts of data moving back and forth beyond organizational walls between health plans, providers, business partners and consumers, the frequency of cyberattacks is steadily increasing. At the same time, regulators are moving to increase the level of security and privacy of health information. To move beyond compliance and become strategic about risk, companies should consider five steps to become more secure, vigilant and resilient against cyberthreats.

Deloitte Views & Analysis

Risk modeling has been prevalent for years in certain industries in which taking calculated risk is integral to the business, such as financial services and energy. Wider availability of data and sophisticated analysis capabilities is making modeling more practical; at the same time, the need to cope with an increasingly risky environment is making it more valued. Dr. Patchin Curtis, leader of Deloitte’s Center for Risk Modeling and Simulation, discusses how risk modeling can be made an integral part of enterprise risk management.

With reputation risks gaining increasing attention, companies plan to address reputation risk by investing in technology, such as analytical and brand monitoring tools, to help strengthen their risk-sensing capabilities, according to the “2014 Reputation@Risk” survey of more than 300 executives, conducted by Forbes Insights on behalf of Deloitte Touche Tohmatsu Limited. They also plan to invest in data, including traditional media/negative mention monitoring, social media data, surveying and other data sources.

Concerns are being raised over big data’s impact on privacy. There are fears that fundamental protections are now challenged by the sheer velocity, veracity and volume of data and how it can be manipulated. The traditional idea of a trade-off between privacy and innovation is giving way to a broader use of analytics, which can protect personal privacy while driving strategic goals.

In 2007, Dr. Jonathan Reiner, cardiologist to former U.S. Vice President Dick Cheney, ordered the manufacturer of Cheney’s defibrillator to disable the device’s wireless capability, according to “60 Minutes.” Dr. Reiner was concerned terrorists could remotely send a signal to the device, telling it to shock his patient into cardiac arrest.

A few years later, security researchers began demonstrating the ability to hack medical devices like pacemakers, defibrillators and insulin pumps. When they exposed those devices’ security vulnerabilities to the public, a number of stakeholders including health care providers, the Food and Drug Administration, and Congressional leaders took note. Now, the prospect of a patient being injured (or even dying) because of a device-level security vulnerability poses a new—and chilling—risk.

As if potential threats to patient safety weren’t worrisome enough, health care providers have additional concerns about the security of the medical devices connected to their networks: Hackers and other malevolent actors like hostile nation states and organized crime rings can potentially exploit security vulnerabilities to gain unauthorized access to providers’ systems. Once inside, they could steal patients’ medical or financial information, disrupt service by taking patient or administrative systems offline, commit fraud, introduce malware, and otherwise intentionally or unintentionally injure patients.

Some health care organizations have already experienced cyber security incidents involving networked medical devices. One hospital had to take its patient monitoring system offline for several hours after discovering it was infected with the Conficker virus. Another hospital had to shut off its automated medication management dispensing system for a few hours because it was infected with malware.

“Even though the information security and privacy risks associated with networked medical devices have only recently begun to emerge, security leaders at health care provider organizations are implementing a range of practices designed to mitigate them,” says Russell Jones, a partner with Deloitte & Touche LLP’s Security & Privacy practice.

Those measures include:

Inventorying and placing tighter controls on existing devices. Some hospitals are establishing a single, centralized inventory of networked medical devices and keeping it up to date, according to Jones. They stratify their inventories by wired, wireless, and legacy (those in service more than five years) technology, and classify devices based upon the degree to which they’re critical to patient health.

Raising awareness of medical device security issues. Clinical and biomedical engineers, physicians and even chief medical information officers may not fully appreciate the security, patient safety and privacy risks associated with networked medical devices. Consequently, many security leaders have had to establish or enhance education and awareness programs for those stakeholders that highlight devices’ vulnerabilities and explain potential threats, according to Mr. Jones. “This may include incorporating analysis of threats, vulnerabilities, and risks into reports for senior executives, or presenting findings at brown bag lunches and other special briefings geared toward business and clinical leadership,” he says.

Incorporating security into procurement policies for new devices. “The health care and procurement professionals who typically purchase new medical devices are often unaware of the security risks those devices may pose,” observes Mark Ford, a principal with Deloitte & Touche LLP’s Security & Privacy practice. To compensate for their blind spots, some health care organizations have added security and privacy evaluations and requirements into the procurement process. They test the security features and vulnerabilities of products under consideration, and ask device makers to fill out and submit the “Manufacturer Disclosure Statement for Medical Device Security” (or an equivalent), a questionnaire created by nonprofit health care industry organization HIMSS, which promotes the use of information technology in the delivery of health care. Additionally, they incorporate ongoing security support and maintenance into contracts with device makers, Mr. Ford notes.

Mapping data flows. Some security leaders have identified and documented how networked medical devices store, process, and transmit regulated data, such as protected health information, inside their organizations. “Understanding the movement of sensitive data and mapping interfaces between medical devices and downstream systems is critical to understanding what data may be at risk in the event of a medical device security breach,” says Mr. Ford.

Instituting physical security, disaster recovery and resiliency measures. While interviewing security leaders from nine health care organizations for a study on patient safety and medical device security, Deloitte & Touche LLP practitioners found that five of the leaders put in place physical safeguards to reduce the risk of theft or damage to networked medical devices. These safeguards include bolstering encryption and authentication controls; locking down devices; retaining spare components in case of device failure, damage, or theft; and confirming back-up generators, uninterruptible power supplies, and redundant HVAC systems are in place to protect facilities that house critical-care and life-support medical devices.

Working with device manufacturers. Many security leaders recognize the need to collaborate with device manufacturers in an industrywide effort to improve the security of medical devices and, by association, reduce risk to patient safety. Some currently work with device manufacturers to implement cyber security controls when their organizations procure a new product; others report cyber security incidents to vendors, according to Mr. Jones. “A growing number of security leaders now feel they have to proactively reach out and educate device manufacturers on how to secure medical devices to address regulatory requirements,” he says. “They’re also trying to get device manufacturers to provide security updates, patches and cyber security guidance in a more timely fashion.”
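The inventory and data-flow practices described above (stratifying devices by wired, wireless and legacy technology, classifying them by how critical they are to patient health, and documenting how protected health information moves from each device to downstream systems) can be modelled in a few lines of code. The following is an added example, not code from the article or from Deloitte: the device names, in-service dates and data flows are constructed sample data, the review-priority weights are an assumption, and "legacy" is approximated as more than five 365-day years in service.

```python
"""Added example (not the article's or Deloitte's code): a small model of the
inventory and data-flow practices the article describes. Device names, dates
and flows are constructed sample data; the scoring weights are an assumption."""
from collections import deque
from dataclasses import dataclass
from datetime import date

LEGACY_YEARS = 5                   # article: in service more than five years = legacy
REFERENCE_DATE = date(2015, 1, 1)  # fixed "today" so results are reproducible


@dataclass(frozen=True)
class Device:
    name: str
    connectivity: str       # "wired" or "wireless"
    in_service: date
    patient_critical: bool  # failure or tampering could directly affect a patient
    handles_phi: bool       # stores, processes or transmits protected health information


# Constructed inventory (sample data, not a real hospital's).
INVENTORY = [
    Device("infusion-pump-07", "wireless", date(2009, 5, 1), True, True),
    Device("patient-monitor-A3", "wired", date(2011, 6, 15), True, True),
    Device("glucose-meter-dock", "wired", date(2008, 1, 10), False, True),
    Device("imaging-workstation", "wired", date(2013, 9, 1), False, True),
]

# Constructed data-flow map: (source, destination, data classification).
# Only "PHI" flows count when working out what a device breach could expose.
DATA_FLOWS = [
    ("infusion-pump-07", "pump-server", "PHI"),
    ("pump-server", "ehr", "PHI"),
    ("patient-monitor-A3", "central-station", "PHI"),
    ("central-station", "ehr", "PHI"),
    ("central-station", "ntp-server", "none"),
    ("glucose-meter-dock", "ehr", "PHI"),
    ("ehr", "billing", "PHI"),
    ("imaging-workstation", "pacs", "PHI"),
]


def is_legacy(dev, today=REFERENCE_DATE):
    """More than LEGACY_YEARS in service (365-day years; adequate for tiering)."""
    return (today - dev.in_service).days > LEGACY_YEARS * 365


def stratify(devices, today=REFERENCE_DATE):
    """Group the inventory as the article describes: wired, wireless, legacy,
    and patient-critical. A device can appear in more than one group."""
    groups = {"wired": [], "wireless": [], "legacy": [], "patient_critical": []}
    for dev in devices:
        groups[dev.connectivity].append(dev.name)
        if is_legacy(dev, today):
            groups["legacy"].append(dev.name)
        if dev.patient_critical:
            groups["patient_critical"].append(dev.name)
    return groups


def review_priority(dev, today=REFERENCE_DATE):
    """Assumed weights: patient-critical 2, then 1 each for wireless, legacy, PHI."""
    score = 2 if dev.patient_critical else 0
    score += 1 if dev.connectivity == "wireless" else 0
    score += 1 if is_legacy(dev, today) else 0
    score += 1 if dev.handles_phi else 0
    return score


def prioritized(devices, today=REFERENCE_DATE):
    """Device names, highest review priority first (sort is stable for ties)."""
    return [d.name for d in sorted(devices, key=lambda d: -review_priority(d, today))]


def phi_exposure(device_name, flows=DATA_FLOWS):
    """Every downstream system that receives PHI, directly or transitively,
    from the named device: what a breach of that device could put at risk."""
    adjacency = {}
    for src, dst, data_class in flows:
        if data_class == "PHI":
            adjacency.setdefault(src, []).append(dst)
    seen, queue = set(), deque([device_name])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


if __name__ == "__main__":
    for group, names in stratify(INVENTORY).items():
        print(f"{group:17s} {names}")
    for dev in sorted(INVENTORY, key=lambda d: -review_priority(d)):
        print(f"{dev.name:20s} priority={review_priority(dev)} "
              f"exposes={sorted(phi_exposure(dev.name))}")
```

Two points the article makes fall out of the output: the wireless, legacy, patient-critical infusion pump sorts to the top of the review list, and its PHI exposure reaches past the pump server into the EHR and billing systems, which is exactly the "downstream systems" view Mr. Ford describes. The non-PHI flow to the time server is deliberately ignored, since it is not what a data-flow map for breach impact is trying to capture.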

*****

Mr. Jones notes that individuals who wish to exploit medical devices to harm patients or disrupt services have time and resources on their side—two assets often in short supply for security leaders at health care organizations. “To safeguard patients and confidential health information,” says Mr. Jones, “information technology, compliance, and risk executives in health care organizations may need to pool their resources and collectively address current and future medical device security risks.”